Operation of a security module in a card reader

ABSTRACT

Card reader having a control interface 18 for controlling 12 the card reader from the exterior, and a device for reading data cards, particularly chip cards, and also having a security module 20, where a request arriving via the control interface 18 is forwarded to the security module 20, and the latter's output is reformatted, if appropriate, and is forwarded to the data card, where it is checked.

CROSS-REFERENCE TO RELATED APPLICATION

[0001] This application is entitled to the benefit of and incorporates by reference essential subject matter disclosed in International Application No. PCT/DE01/01465 filed on Apr. 14, 2001 and German Patent Application No. 100 22 314.1 filed on May 9, 2000.

TECHNICAL FIELD

[0002] The invention relates to the flow control in card readers for magnetic or chip cards in which a security module is provided.

PRIOR ART

[0003] In many areas, particularly in self service appliances such as cash dispenser machines, cards in check-card or credit-card format are used which have magnetically coded tracks or electronic circuits produced in the card. The latter cards are commonly referred to as chip cards. When using these cards, card readers are required which can be used to make contact with the chip cards or to read the magnetically coded information on magnetic-strip cards.

[0004] Such card readers are also used, in particular, to ascertain the identity of a person using an appliance. For this purpose, the cards hold a coded password, also referred to as a PIN. Besides chip cards containing a cryptographic processor, there are also chip cards in use which do not allow the password to be read, but only allow it to be compared internally. These chip cards then require the password to be transmitted in plain text via the card reader's external interface which is provided.

[0005] It is therefore an object of the invention to specify a solution which does not require the password in plain text outside of the card reader.

DESCRIPTION OF THE INVENTION

[0006] The invention uses the insight that the object can be achieved by a security module in the card reader. For this purpose, an encrypted password is sent via the external interface, is sent to the security module, is decrypted there and is sent directly to the chip card, generally in recoded form.

[0007] Other features and advantages of the invention can be found in the description below, which explains the invention using an exemplary embodiment in conjunction with the appended drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008] In the drawing,

[0009] FIG. 1 shows a schematic illustration of components of a card reader in which the invention can be used.

DESCRIPTION OF AN EMBODIMENT OF THE INVENTION

[0010] FIG. 1 is a schematic illustration of a card reader 10 in which a card, in this case a chip card 11, can be moved and hence inserted and output in a guide channel 14. A controller 12 brings about this action using a drive 13. The chip card 11 has contacts 15 which are connected to mating contacts 16. This action is brought about by the controller 12, possibly together with the drive 13 and further means.

[0011] The card reader also comprises a security module 20 which is connected to the controller 12. This security module is designed such that an attempt to open it destroys the stored data. Such a security module 20 therefore stores, in particular, keys for symmetrical encryption methods. So as not to have to reveal the key, the security module decrypts, if appropriate, data which are transmitted to it via the connection by the controller 12. The interface for such a security module is frequently the same as that for a chip card. It can also be in the form of a chip card, which means that a second corresponding contact station is required. Preferably, however, a version for integrated circuits is used which is more reliable and takes up less space.

[0012] In addition, the card reader comprises a control interface 18 which is used to control the card reader. In many cases, this control interface 18 is in the form of a serial interface, known by the abbreviation ‘V24’. FIG. 1 shows a superordinate controller 31 with a data transmission link 30 which operates this control interface 18.

[0013] Alternatively, such a card reader can also read cards having a magnetic track, which is not shown in FIG. 1. The contact unit 16 for this can be thought of as a magnetic reading head.

[0014] The inventive method is applied as follows, for example:

[0015] A chip card 11 belonging to a customer will be assumed to have been connected by the contact station 16. The chip card 11 contains a stored password, called a PIN in the field of banking. Although this password cannot be read, provision is made for the password to be sent to the chip card 11 in plain text and for said chip card 11 then to perform the check for identity.

[0016] The card readers known to date therefore require the password to be transferred to the control interface 18 in plain text in order for the controller 12 to forward it to the chip card. This path is symbolized by the curved double-headed arrow 22 inside the controller 12. However, the control interface 18 is frequently a standardized interface which is relatively simple to tap. In addition, the control interface 18 is frequently operated by a computer having a normal operating system, which could in turn be a target for attacks.

[0017] The card reader has access to a security module 20 which contains, in particular, a decryption section. This security module is operated via the control interface 18. In particular, an encrypted password is sent from the superordinate controller 31 to the security module 20 for the purpose of decryption, and the decrypted password is sent back via the control interface by the security module. This path is symbolized by the curved double-headed arrow 21 inside the controller 12. The superordinate controller 31 picks up the password and forms a further order to the controller 12 for the purpose of sending the decrypted password to the chip card 11.

[0018] The invention avoids transmitting the password via the control interface 18 twice by virtue of the controller 12 being designed such that the result returned by the security module 20 is forwarded, generally after reformatting, directly to the chip card. This path is symbolized by the curved double-headed arrow 23 inside the controller 12.

[0019] It will be assumed that the control interface has received a command which contains the password in encrypted form. This command is characterized, generally by means of a code field, such that it needs to be passed to the security module 20 and the result of the security module's handling must not be returned via the control interface, but rather can be forwarded only to the chip card. In this case, the result is precisely the decrypted password which is sent to the chip card. The chip card makes a comparison with the password stored on it and delivers a statement regarding whether there is a match. To support this operation, provision is made for a preliminary instruction to be used to specify, particularly by specifying a position and a length, where in the security module's response the decrypted password needs to be extracted. In the same or in a further preliminary instruction, the controller is notified of that coded instruction into which the extracted password needs to be fitted. This can be done by specifying a character string which needs to be placed in front and one which needs to be placed behind.
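
The flow of paragraph [0019], sketched as an added example that is not part of the patent text: a preliminary instruction sets position, length and the strings placed in front and behind, and a code-field-tagged command then yields only the match statement on the control interface. All class names, the code value, the byte layouts and the XOR stand-in cipher are assumptions made for illustration.

```python
import hmac

# All names, code values and byte layouts are hypothetical (added illustration).
CMD_VERIFY_ENCRYPTED = 0x51            # assumed code-field value: result may go to the card only
VERIFY_HEADER = b"\x00\x20\x00\x01"    # constructed 4-byte header of the card's check instruction

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR stand-in for the module's symmetric cipher; not real cryptography."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class SecurityModule:
    def __init__(self, key: bytes):
        self._key = key                              # the key never leaves the module
    def process(self, blob: bytes) -> bytes:
        return b"\x90\x00" + toy_cipher(self._key, blob)   # 2-byte status, then plaintext

class ChipCard:
    def __init__(self, pin: bytes):
        self._pin = pin                              # compared internally, never readable
    def verify(self, instruction: bytes) -> bool:
        if len(instruction) < 5 or instruction[:4] != VERIFY_HEADER:
            return False
        data = instruction[5:]
        return instruction[4] == len(data) and hmac.compare_digest(data, self._pin)

class ReaderController:
    def __init__(self, module: SecurityModule, card: ChipCard):
        self._module, self._card, self._template = module, card, None
    def set_template(self, offset: int, length: int, prefix: bytes, suffix: bytes = b""):
        """Preliminary instruction: where the password sits and how to wrap it."""
        self._template = (offset, length, prefix, suffix)
    def handle(self, code: int, payload: bytes) -> bytes:
        """Return only the bytes allowed back over the control interface."""
        if code != CMD_VERIFY_ENCRYPTED or self._template is None:
            return b"ERR"
        offset, length, prefix, suffix = self._template
        response = self._module.process(payload)
        if len(response) < offset + length:          # malformed or truncated module response
            return b"ERR"
        password = response[offset:offset + length]  # plaintext exists only inside the reader
        matched = self._card.verify(prefix + password + suffix)
        return b"OK" if matched else b"NO"           # the match statement, never the password

def demo():
    key, pin = b"constructed-key", b"4711"           # constructed sample values
    reader = ReaderController(SecurityModule(key), ChipCard(pin))
    reader.set_template(offset=2, length=4, prefix=VERIFY_HEADER + b"\x04")
    good = reader.handle(CMD_VERIFY_ENCRYPTED, toy_cipher(key, pin))
    bad = reader.handle(CMD_VERIFY_ENCRYPTED, toy_cipher(key, b"0000"))
    return good, bad
```

Everything a tap on the control interface would observe is the encrypted payload going in and the two- or three-byte status coming out.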

[0020] The password is preferably encrypted in the actual keypad unit into which the user enters the password or the PIN. This means that the area in which the password is visible in unencrypted form is limited to the interior of the keypad and of the card reader. The devices required for this purpose are already provided in the keypads on cash machines. If appropriate, recoding can also take place if the keypad and the security module have no common key. In this case, the cash machine's controller is connected to a central control station which has access to both keys in a secure environment and uses the keypad's key for decryption and uses the card reader's key for decryption within this secure environment.

[0021] In card readers having a magnetic track, the invention can be applied to the extent that the information needing to be compared with the magnetic track can be sent to the card reader in encrypted form, is decrypted by said card reader and is then compared directly in the card reader with the data read from the magnetic track. This means that the data are less exposed to an attack; an attacker planning an attack using a relatively large amount of magnetic track data must then get hold of these data physically. In this respect, the security is increased at least slightly.

1. A method of operation for a card reader which contains: a controller 12 having a control interface 18 for controlling the card reader from the exterior, a card interface 40 for chip cards which can be interchanged under operational conditions, which is connected to the controller 12, a security module 20 having a module interface 41 which is connected to the controller 12, having the following steps: an authorization request arriving via the control interface 18 is forwarded in the form of instruction sequences to the security module 20, which then produces an intermediate result, the intermediate result in the security module 20 is compared with data transmitted via the card interface 40, and is evaluated, by the computer in the chip card, the result of the evaluation is output via the control interface 18 and is processed further by the superordinate controller 31.

2. The method as claimed in claim 1, where the card interface 40 is an interface for chip cards, and the check is made by transmitting the intermediate result directly to the chip card.

3. The method as claimed in claim 2, where a preliminary instruction is used to send a data record to the controller 12 via the control interface 18, said data record being forwarded to the chip card in combination with the intermediate result from the security module 20.

4. The method as claimed in one of the preceding claims, where the security module 20 decrypts transmitted data.

5. A card reader having means for carrying out the method as claimed in one of the preceding claims.

6. A method of operating a self service appliance, particularly a cash dispenser machine, having an input keypad and an input controller which comprises an encrypter and a keypad interface, a card reader and a card reader controller which comprises a decrypter and a control interface, a data transmission device which is used to transmit an output on the keypad interface to the control interface, having the following steps: a character sequence which is input on the input keypad for the purpose of authorization is encrypted by the encrypter associated with the input keypad and is held in an output on the keypad interface, the encrypted character sequence is transmitted to the control interface 18 by the data transmission device, the card reader controller transfers the encrypted character sequence to the decrypter associated with the card reader for the purpose of decryption, the decrypted character sequence is compared with the data, stored on the chip card, on a card which is in the card reader, and only that result of the check which, in the event of matching data, allows the self service appliance to be used, but not the decrypted character sequence, is output via the control interface 18.

7. The method as claimed in claim 4, where the decrypted character sequence is transmitted to a chip card, where it is compared with the data stored on the chip card.

8. A self service appliance having means for carrying out one of the methods as claimed in claim 4 or 5.